Epic Games blasts Google for disclosing Fortnite Android exploit early

The vulnerability has now been patched

In brief: Earlier this month, rumors that Epic Games wanted to avoid Google's 30 percent revenue cut by distributing the Android version of Fortnite outside the Play store proved to be true. While the move means more money for the developer, there were worries that it could bring security risks to Android users—and it looks as if those fears were justified.

While it’s certainly not 100 percent safe, the Google Play Store does offer some protections, and sideloading the Fortnite installer means allowing installations from unknown sources—something that’s not recommended, especially as some users may forget to disable the permissions afterward.

It was security researchers from Google who publicly disclosed the problem on its Issue Tracker site—whether Fortnite's absence from the Play store motivated Google to investigate the app thoroughly is unknown.

The vulnerability in the Android Fortnite Installer would allow malicious apps already present on a user’s phone to hijack the installation procedure and download other malicious applications with extra permissions—a Man-in-the-Disk (MitD) attack.

MitD attacks are made possible when Android apps store data on External Storage space, which is shared by all apps, rather than Internal Storage space, aka System Memory. And as the Fortnite installer only checks the name of the APK, any file called “com.epicgames.fortnite” would be installed.

"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK," wrote Google engineer Edward.

Thankfully, Epic released a patch that addressed the Fortnite installer vulnerability within 48 hours of its discovery (August 15). The company requested that Google not disclose the details until after 90 days, giving users plenty of time to update their apps and to prevent hackers exploiting the bug.

However, Google’s guidelines state that while the official period for public disclosure is 90 days, it will disclose a vulnerability once a patch has been made widely available. Therefore, the company ignored Epic’s request and shared the details once the patched version of the installer had been available for seven days.

Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.

Sweeney revealed in a tweet that Google’s decision to disclose early could have been because it knew there weren’t many unpatched installs remaining.

Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.